The European Data Protection Board (the EDPB) recently released two statements in quick succession relating to the effects of COVID-19 on data protection. The statements focused on: 1) interoperability of contact tracing apps; and 2) reopening of borders following the outbreak. This follows the EDPB publishing two official Guidelines back in April focusing on processing personal data for scientific research and the use of location data and contact tracing tools, both in the context of COVID-19. The general stance taken by the EDPB here is consistent with that of most data protection regulators across the EU and the UK, namely: whilst data protection legislation is not intended to be a hindrance to fighting the pandemic, the law is still the law and must be complied with.
The primary role of the EDPB is to ensure the correct application of the GDPR so whilst the GDPR is still applicable in the UK, the EDPB’s Guidelines and statements will apply to the UK. Furthermore, when the transition period is over and the UK has implemented its version of the GDPR, given the expectation that the replacement legislation will mirror the GDPR almost entirely, the Guidelines and statements from the EDPB will continue to have a persuasive effect.
We have detailed below the key points raised by the EDPB in the above mentioned statements.
Interoperability of contact tracing
In the EDPB Guidelines on location data and contact tracing, the EDPB encouraged having a “common European approach in response to the current crisis, or at least put in place an interoperable framework”. This mirrors the approach suggested in the Common EU Toolbox for Member States which provided guidance on how Member States should develop and implement contact tracing (further information on this can be accessed here).
Interoperability in this context means contact tracing apps being able to exchange information with other such apps developed across EU Member States so that an app user of one EU Member state app can be alerted if they have been in proximity with a user of another Member State app who has tested positive for COVID-19.
The purpose of the statement by the EDPB is to further elaborate on the level of impact that an interoperable implementation can entail on the right to data protection. The key points the EDPB highlighted in this respect were as follows:
- As always with data processing, transparency for the data subjects is of paramount importance.If an app is developed with interoperability in place, data subjects need to be made aware of this, including details of those with whom their data will be shared.
- With respect to the lawful basis of the controller, the EDPB refers back to its original Guidelines in this area which, in summary, explain that the use of contact tracing apps generally can be based on either public interest or consent.The EDPB notes that both grounds would also be viable options for interoperability.However, importantly, it should be highlighted that as interoperability would be a processing activity in its own respect, a further legal basis analysis should be carried out by any controller seeking to implement interoperability.
- It is imperative that an analysis be undertaken by those organisations wishing to share data, including with respect to the respective roles, relationships and responsibilities of the organisations.The EDPB notes, for example, that the organisations may be controllers or joint controllers, and that both may have appointed processors.Such a model with potentially wide and convoluted data flows should be mapped and carefully analysed to ensure it is compliant with the law and that the rights of the data subjects are respected.
- Interoperability should not lead to, or be seen to permit, an increased collection or storage of data.The EDPB therefore suggests a common level of data minimisation and data retention be considered in order to promote effective application of the principles.
- Data security should not be negatively affected by interoperability with a key area to consider in this respect being data in transit.For those developers wishing to implement interoperability within an existing app, any security analysis undertaken to date may not sufficiently identify the risks posed specifically by interoperability as regards data processing.
Reopening of borders
In light of recent communications from the European Commission, along with proactive steps taken by some EU Member States, with respect to lifting internal border controls and lifting restrictions on the free movements of persons around the EU, the EDPB issued this statement acknowledging that the opening of borders is, in part, made possible by the processing of personal data at the borders. This could be personal data of EU citizens or any other person seeking to enter an EU Member, subject to national Member State laws. The EDPB states that while it is “fully aware of the relevance of the fundamental right to health, the said measures cannot in any case suppose an erosion of the persons’ fundamental rights and freedoms and of the right to data protection”. The EDPB’s intention therefore in the statement is to “strike a balance” between the potentially conflicting fundamental rights in the context of COVID-19.
As with interoperability and contact tracing, the EDPB suggests EU Member States take a common EU approach when deciding which processing of personal data is necessary to ensure that the risk of the pandemic spreading is mitigated. Respect must also be given to the fundamental rights and freedoms of individuals. The EDPB goes on to emphasise particular aspects of data protection legislation which require “special attention” by Member States, including:
- Lawfulness, fairness and transparency: the processing should be justifiable and based on a valid lawful basis, and data subjects should be fully informed of the data processing undertaken.
- Purpose limitation: the processing of data should be limited to combating COVID-19 and preventing its spread across borders.It should not be further processed by Member States during or after the pandemic.
- Security of data: based on a risk assessment which takes into consideration that highly sensitive information may be processed in this respect, Member States must ensure an appropriate level of security has been implemented and is maintained.
- Data Protection by Design and Default: those processes, procedures and other methods used with respect to COVID-19 that process personal data should all be developed with data protection compliance as a key pillar.In doing so, Member States should always conduct and maintain a Data Protection Impact Assessment.
- Automated individual decision making: the decision whether to allow a person entrance into a country should not be based only on the available technology.A person should have a right, amongst other things, to obtain an explanation of the decision reached after such assessment and challenge the decision.
The EDPB closes the statement by stressing the importance of Member States intending to process personal data for COVID-19 purposes to only do so with the prior consultation of competent national data protection authorities.
What should we take from the statements?
Along with the published Guidelines, the statements are extremely transparent as to the EDPB’s views on processing personal data in the context of COVID-19: whilst the pandemic is having a detrimental effect on a global scale, this does not permit organisations, both public and private, to flout the data protection rules. The GDPR, and related legislation and guidance, were implemented because in the current age, the risks to individuals’ personal data can be huge and must be protected. Such risks and protections should not be overlooked in favour of other issues. While the statements focus on particular data processing activities in the context of COVID-19, the general suggestions made by the EDPB, for example with respect to lawfulness and security, should be considered by all organisations processing personal data, whether for COVID-19 purposes or not. The EDPB has made the message clear again: organisations need to ensure their processes and procedures which involve the processing of personal data are in compliance with the law at all times.